Author Topic: Newbie: VPN Phases 1 and 2-need clear explanation  (Read 43108 times)

balagvasi

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
Newbie: VPN Phases 1 and 2-need clear explanation
« on: January 06, 2009, 10:49:07 am »
Hi all,

FoA, sorry for my long post. I am new to the security field with Juniper as my first product. Before getting hands-on, I want to know the clear picture involved in both phases of a VPN. I have browsed through several articles, and let me post my inferences on the VPN. Please correct me wherever I go wrong.

Considering the IKE phase with Main mode, there are 6 packets (three 2-way exchanges) involved in forming a tunnel:

1st exchange: Both peers exchange their encryption (DES, 3DES, AES) and authentication algorithms (MD5, SHA1) and arrive at a conclusion.

2nd exchange: The Diffie-Hellman shared secret is computed by exchanging the public keys. In this exchange itself, the encryption keys (DES, 3DES, AES) and authentication keys (MD5, SHA1) are negotiated. This negotiation is encrypted by the shared secret and decrypted by the respective private keys at the gateways. And both ends should possess the same keys, since it is going to be symmetric.

3rd exchange: Both gateways authenticate themselves to each other. Assuming a pre-shared key authentication mechanism (let me not dive into digital certificates or PKI at this level), how does it take place? I mean, how is the pre-shared secret compared at both ends? My opinion is that the pre-shared secret is hashed and encrypted by the private key. So at the receiving end it is decrypted by the Diffie-Hellman shared secret, and now it has a hashed value of the pre-shared secret. This receiving gateway then hashes the pre-shared secret on its side and compares it with the received one. If it matches, then authenticity is guaranteed.

Please correct me for errors, if any. Also, what actually happens in Phase 2? Apart from the ESP/AH negotiations in Phase 2, what else is there?

I will rejoice if someone corrects me.

c0d3r

  • Sr. Member
  • ****
  • Posts: 459
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #1 on: January 06, 2009, 12:45:38 pm »
- - - - - - - - - - - - - - - - - - - - - - - -
http://www.corelan.be:8800
- - - - - - - - - - - - - - - - - - - - - - - -

screenie.

  • Global Moderator
  • Atomic Playboy
  • *****
  • Posts: 1315
  • Karma: +1/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #2 on: January 06, 2009, 02:06:37 pm »
Preshared key is used for authentication, not for encryption. Google for HMAC for an explanation.
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI

ric0

  • Full Member
  • ***
  • Posts: 183
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #3 on: January 07, 2009, 04:45:43 am »
In short (and bluntly bypassing the details):

Phase 1 is the part where the peers authenticate each other and agree on the key exchange channel. This is the part where the settings and keys for the encryption channel are made.

Phase 2 is the part where the networks/hosts are negotiated and the encryption path is established. This is where the data encryption is agreed.
JNCIA-FWV - JNCIA-IDP

balagvasi

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #4 on: January 07, 2009, 10:02:32 am »
Hi ric0,

Thanks. But I can't get a point you made: "This is where the data encryption is agreed."

I have a wild opinion that the encryption/hashing algorithms and the respective keys are agreed in Phase 1 itself. Both peers should have the same keys for encryption/hashing. Do you mean that these happen in Phase 2? Sorry if I misinterpreted.

screenie.

  • Global Moderator
  • Atomic Playboy
  • *****
  • Posts: 1315
  • Karma: +1/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #5 on: January 07, 2009, 11:44:27 am »
In Phase I, proposals are exchanged and the first match is selected. Then, after the 6 (or 3 in aggressive mode) messages, a tunnel is built, encrypted with the encryption algorithm selected from the proposal. The encryption key is calculated with Diffie-Hellman. Over this channel Phase II is negotiated. Then Phase II is started: again proposals are exchanged and protocols chosen. So Phase I and II can use different protocols and will use different keys. One more thing is done, as ric0 summarized very well: networks (and services) are exchanged. This is registered in the proxy-id. On a Juniper with a policy-based VPN the proxy-id comes from the policy. In route-based VPNs they are all zeros by default. You can manually override the proxy ID (in the GUI, advanced settings in the Phase II settings).

When you select PFS in your (Phase II) proposal, Diffie-Hellman is used again at every Phase II rekey, every hour normally.

Every 8 hours a rekey occurs for Phase I.

You can have more than one network encrypted between two gateways. If using a policy-based VPN you define multiple Phase II over a single Phase I. The proxy-ids are now used to differentiate the VPNs.

I hope it's clearer now.
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI

ric0

  • Full Member
  • ***
  • Posts: 183
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #6 on: January 08, 2009, 01:35:28 am »
Quote
Hi ric0,

Thanks. But I can't get a point you made: "This is where the data encryption is agreed."

I have a wild opinion that the encryption/hashing algorithms and the respective keys are agreed in Phase 1 itself. Both peers should have the same keys for encryption/hashing. Do you mean that these happen in Phase 2? Sorry if I misinterpreted.

That is why I had second thoughts on my post and why I was saying that I was blunt.

If you look at IPsec very basically, then Phase1 is the keying channel and Phase2 is the channel over which data is passed.

Phase1 does use encryption et al, but it uses it to protect the key exchange. When Phase1 is ready, the next step is taken to start the negotiation of Phase2.

JNCIA-FWV - JNCIA-IDP

balagvasi

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #7 on: January 08, 2009, 05:11:03 am »
Screenie,

Let me go by your words:
Quote
1. The encryption key is calculated with Diffie-Hellman. Over this channel Phase II is negotiated.
So the Phase 2 negotiations (involving ESP, AH, proxy-ids) are encrypted by the common encryption key (DES/3DES/AES) agreed in the 1st phase?

In the Juniper docs it is mentioned that, after negotiating for ESP and AH in Phase 2, the peers will again negotiate the encryption (DES/3DES/AES) keys and hashing keys (MD5/SHA1). My query at this point is: what is the necessity to renegotiate these keys again in Phase 2, when they are already decided in Phase 1? If there is a need, then in what way is it going to help? :-(

And I agree with your and ric0's words on proxy-ids.


« Last Edit: January 08, 2009, 05:24:26 am by balagvasi »

c0d3r

  • Sr. Member
  • ****
  • Posts: 459
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #8 on: January 08, 2009, 06:00:06 am »
the keys are negotiated in phase1 using DH
These session keys are used for phase2
If you have specified to do PFS (using DH) in Phase2 as well, then a new session key is generated again in phase2 using the DH key exchange algo.

That is why re-negotiation *can* happen in Phase2... 
(it is in fact a good idea to do rekeying, because the session key is important for the overall security. So the more the keys are renegotiated, the safer it is....  )

the encryption algo that is used in Phase1 is only used in main mode (not in aggressive mode), in packet 5 of P1. The initiator of the connection uses the encryption algo (defined as part of the P1 proposals) to encrypt the local ID (= IP gateway) and then sends it to the responder. This is the main identification. This is the only reason why an encryption algo is specified in Phase 1.
The encryption algo of Phase 2 is used for the real data encryption, and thus can be different from the encryption algo in Phase1.

- - - - - - - - - - - - - - - - - - - - - - - -
http://www.corelan.be:8800
- - - - - - - - - - - - - - - - - - - - - - - -

ric0

  • Full Member
  • ***
  • Posts: 183
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #9 on: January 08, 2009, 06:27:24 am »
Keep in mind that Phase1 and Phase2 have separate encryption and hashing.

First the peers identify, then they agree on encryption and hashing for the Key Exchange. Remember that the Key Exchange is a secure channel to exchange the dynamic keys for Phase2.

Phase2 makes its own keys that are exchanged through the Phase1 (IKE) channel. It can have its own encryption and hashing settings.
JNCIA-FWV - JNCIA-IDP

screenie.

  • Global Moderator
  • Atomic Playboy
  • *****
  • Posts: 1315
  • Karma: +1/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #10 on: January 08, 2009, 08:44:24 am »
And to complicate things: you can have more than 1 PII over a single PI. This makes it necessary to use different keys in PII from PI, otherwise every PII session over the PI would initially use the same key.
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI

balagvasi

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #11 on: January 08, 2009, 09:07:50 am »
That throws some light on my doubts.

Hi c0d3r,

Quote
the keys are negotiated in phase1 using DH. These session keys are used for phase2
- So the keys decided in Phase 1 (encryption and hashing keys) are used to encrypt and authenticate the Phase 2 negotiations? Is this what you mean?

And also, Phase 2 will derive its own encryption and hashing keys. Only this set of keys will encrypt and authenticate the application data thereafter. Am I correct?

Let me come back to screenie's post once I am answered.

c0d3r

  • Sr. Member
  • ****
  • Posts: 459
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #12 on: January 08, 2009, 10:18:06 am »
The session key that was calculated and exchanged via DH in Phase1 is used to set up a secure tunnel to exchange Phase2 information

In Phase2, a new set of keys (shared secret) is derived, and an IPSec SA is formed.
Nonces are exchanged, which provide replay protection. These nonces are used to generate new shared secret keys and will prevent replay attacks.
« Last Edit: January 08, 2009, 10:23:09 am by c0d3r »
- - - - - - - - - - - - - - - - - - - - - - - -
http://www.corelan.be:8800
- - - - - - - - - - - - - - - - - - - - - - - -

balagvasi

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #13 on: January 09, 2009, 06:38:17 am »
Quote
The session key that was calculated and exchanged via DH in Phase1 is used to set up a secure tunnel to exchange Phase2 information

I hope the session keys in Phase 1 you are referring to are the encryption and hashing keys agreed. Is that so?

c0d3r

  • Sr. Member
  • ****
  • Posts: 459
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #14 on: January 09, 2009, 07:24:37 am »
There is only a key for encryption. There is no hashing key. The hashing method (MD5/SHA) exchanged in the initial proposal is only used to hash existing data.

Look at packet 5 of the P1 exchange on http://www.corelan.be:8800/index.php/2008/06/25/building-ipsec-vpn-with-juniper-netscreen-screenos-cjfv/
It describes the exchange of the identification (=validation that the key was calculated properly)

Sender sends Identification (Local ID) + the Hash of (ID + session key)

So the key is used for encryption, and is added to the ID string (and then hashed)
But the key in itself is not used to salt the hashing...
- - - - - - - - - - - - - - - - - - - - - - - -
http://www.corelan.be:8800
- - - - - - - - - - - - - - - - - - - - - - - -

balagvasi

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #15 on: January 09, 2009, 08:00:48 am »
Ok. So the hashing key derived in the 1st phase is just used for authentication in packets 5 and 6 and not used later? And the Phase 2 exchanges are just encrypted by the session key derived in Phase 1? So there is no need to authenticate the Phase 2 proposals via a hashing key?

And BTW, I have been trying to access your site from the day I learned about it, but in vain. Nobody around here can either. Can you just mail me the contents of building-ipsec-vpn-with-juniper-netscreen-screenos-cjfv on your site? Hope I will get some insight before posting further queries. My id is balag_vasi@yahoo.co.in

Thanks in advance

c0d3r

  • Sr. Member
  • ****
  • Posts: 459
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #16 on: January 09, 2009, 08:18:37 am »
There is no hashing key; there's only an encryption key (session key).
This key is used for encryption, and is hashed as part of packets 5 and 6 so both sides can validate that the session key was calculated correctly at both sides
(so the key in itself is not exchanged, only the hash of the key + local ID is exchanged).
If the hash matches at both sides, then
- the IDs are the same
- the keys are the same
result = both peers are authenticated AND the session key is the same on both ends

What do you mean with "authenticate Phase 2 proposals with the hashing key ?"
The P2 proposals are exchanged via the secure channel that already exists in Phase 1
Once these P2 proposals are exchanged, a new encryption channel is set up (using the proposals that were exchanged)

My site runs on port 8800 - maybe that is why it is being blocked for you now.
Perhaps some firewall blocks access to this port...   Any chance you can open the port ?

I could mail the contents, but it may look scrambled, and it would be static (I sometimes change minor mistakes or add stuff to my posts, in order to keep them updated).

- - - - - - - - - - - - - - - - - - - - - - - -
http://www.corelan.be:8800
- - - - - - - - - - - - - - - - - - - - - - - -
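As an added illustration (not code from this thread, its posters, or Juniper), the following Python models the key derivation that the replies above describe, using the formulas of RFC 2409 (IKEv1) sections 5.4 and 5.5: the pre-shared key is only ever an HMAC key (screenie's reply #2), HASH_I in packet 5 lets the responder check that both sides derived the same secret and identity (c0d3r's reply #16), and each Phase 2 SA gets its own SPI and nonces and therefore its own KEYMAT even over a single Phase 1 SA (screenie's reply #10, c0d3r's reply #12), optionally with a fresh DH exchange when PFS is on (c0d3r's reply #8). The SA payload bytes, the initiator ID, and the PSK values are constructed sample data; SHA-1 stands in for the negotiated hash; no ISAKMP packets are encoded.

```python
"""Model of IKEv1 key derivation: Phase 1 (main mode, pre-shared key)
and Phase 2 (quick mode), following RFC 2409 sections 5.4 and 5.5.
Illustration only: no packet encoding and no real IKE daemon."""
import hashlib
import hmac
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP): prime P and generator G.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PROTO_ESP = b"\x03"  # IPsec DOI protocol identifier for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """IKE's PRF: HMAC keyed with the first argument, using the negotiated
    hash (SHA-1 here, as after a "sha1" Phase 1 proposal)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Ephemeral DH pair; the private exponent never leaves the host."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P).to_bytes(128, "big")


def dh_shared(x: int, peer_pub: bytes) -> bytes:
    """g^xy: each peer computes it from its own exponent and the other's public value."""
    return pow(int.from_bytes(peer_pub, "big"), x, P).to_bytes(128, "big")


def phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Phase 1 key material for PSK authentication (RFC 2409 5.4). The PSK is
    only ever an HMAC key; nothing is encrypted with it."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds Phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # integrity of IKE messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # encrypts packets 5/6 and Phase 2
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai, id_i):
    """HASH_I, sent encrypted in packet 5: binds the initiator's identity to the
    DH values, cookies and proposal. HASH_R in packet 6 swaps the roles."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai + id_i)


def phase2_keymat(skeyid_d, protocol, spi, ni2, nr2, pfs_secret=b""):
    """Quick-mode KEYMAT (RFC 2409 5.5): every IPsec SA has its own SPI and
    nonces, so its own keys; with PFS a fresh DH secret is prepended."""
    return prf(skeyid_d, pfs_secret + protocol + spi + ni2 + nr2)


def simulate(psk_initiator: bytes, psk_responder: bytes, pfs: bool = False) -> dict:
    """Run Phase 1 and two Phase 2 SAs between initiator (I) and responder (R).
    Each side derives keys from its own PSK copy, so a mismatch shows up as a
    HASH_I that the responder cannot reproduce."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies (packets 1-2)
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # Phase 1 nonces (packets 3-4)
    sai = b"ENCR=3DES,HASH=SHA1,AUTH=PSK,GROUP=2"  # constructed stand-in for the SA payload bytes
    id_i = b"203.0.113.10"                        # constructed initiator ID (documentation address)
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    keys_i = phase1_keys(psk_initiator, ni, nr, dh_shared(xi, gxr), cky_i, cky_r)
    keys_r = phase1_keys(psk_responder, ni, nr, dh_shared(xr, gxi), cky_i, cky_r)
    # Packet 5: I sends ID_i and HASH_I; R recomputes HASH_I with its own SKEYID.
    received = hash_i(keys_i["SKEYID"], gxi, gxr, cky_i, cky_r, sai, id_i)
    expected = hash_i(keys_r["SKEYID"], gxi, gxr, cky_i, cky_r, sai, id_i)
    authenticated = hmac.compare_digest(received, expected)
    # Phase 2: two quick-mode exchanges over the single Phase 1 SA.
    keymats = []
    for _ in range(2):
        spi = secrets.token_bytes(4)
        ni2, nr2 = secrets.token_bytes(16), secrets.token_bytes(16)
        pfs_secret = b""
        if pfs:  # a new DH exchange inside quick mode
            qi, gqi = dh_keypair()
            qr, gqr = dh_keypair()
            pfs_secret = dh_shared(qi, gqr)
            assert pfs_secret == dh_shared(qr, gqi)
        keymats.append(phase2_keymat(keys_i["SKEYID_d"], PROTO_ESP, spi, ni2, nr2, pfs_secret))
    return {"authenticated": authenticated, "phase1_keys_match": keys_i == keys_r,
            "keymats": keymats, "skeyid_e": keys_i["SKEYID_e"]}


if __name__ == "__main__":
    ok = simulate(b"example-psk", b"example-psk", pfs=True)
    print("peer authenticated:", ok["authenticated"])
    print("distinct Phase 2 keys:", ok["keymats"][0] != ok["keymats"][1])
    print("wrong PSK accepted:", simulate(b"example-psk", b"other")["authenticated"])
```

In RFC terms, what the thread calls "the hash of the key + local ID" is HASH_I: the PRF keyed by SKEYID (itself derived from the PSK and both nonces) over the DH public values, cookies, proposal and ID. The responder can only reproduce it if it holds the same PSK and computed the same g^xy, which is why a wrong PSK fails at packet 5/6 rather than at any earlier exchange. The two KEYMAT values differ because each quick-mode SA has its own SPI and nonces, and neither equals SKEYID_e, the Phase 1 key that protects the quick-mode exchange itself.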

c0d3r

  • Sr. Member
  • ****
  • Posts: 459
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #17 on: January 09, 2009, 08:36:18 am »
by the way: just noticed something in your initial post about encryption
when using public/private key pairs, data is not encrypted with the private key, but with the public key of the other side.
Then the other side can decrypt it with its own private key

after all
- private key needs to be private, so you are only one who has access to it
- public key is public

if data would be encrypted with your private key, and if it could be decrypted with the public key, then it could be decrypted by anyone...  which defeats the purpose of encryption, right ?

This process is more secure than symmetric key encryption, but it is slower.

With symmetric keys, encryption and decryption uses the same key.  It is faster, but less secure... which is why rekeying should occur
- - - - - - - - - - - - - - - - - - - - - - - -
http://www.corelan.be:8800
- - - - - - - - - - - - - - - - - - - - - - - -

balagvasi

  • Newbie
  • *
  • Posts: 46
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #18 on: January 09, 2009, 12:13:26 pm »
Quote
there is no hashing key - there's only an encryption key (session key).
This key is used for encryption, and is hashed as part of packets 5 and 6 so both sides can validate that the session key was calculated correctly at both sides
(so the key in itself is not exchanged, only the hash of the key+localID is exchanged)
If the hash matches at both sides, then
- the ID's are the same
- the keys are the same
result = both peers are authenticated AND the session key is the same on both ends

Got it. By saying "session key" you are referring to the DH shared secret, I hope. The session key + the local ID are hashed, as per your words. Is this hashing done by the hashing algorithm agreed in the 1st two packets?

Also, how are the Phase 2 proposals encrypted? Is it again by the session key or...?

c0d3r

  • Sr. Member
  • ****
  • Posts: 459
  • Karma: +0/-0
Re: Newbie: VPN Phases 1 and 2-need clear explanation
« Reply #19 on: January 09, 2009, 02:39:40 pm »
Quote
Got it. By saying "session key" you are referring to the DH shared secret, I hope
Yes

Quote
The session key + the local ID are hashed, as per your words. Is this hashing done by the hashing algorithm agreed in the 1st two packets?
Yes

Quote
Also, how are the Phase 2 proposals encrypted? Is it again by the session key?
Yes - up until that point, the only shared secret that is known between the two sides is the session key
- - - - - - - - - - - - - - - - - - - - - - - -
http://www.corelan.be:8800
- - - - - - - - - - - - - - - - - - - - - - - -